Security Assessment versus Security Audit?
Dr. Shannon Block, CFE
Board Director | 3-time CEO | President | Chief Digital Officer | Chief Strategy Officer | COO | CBDO | Doctorate in Computer Science | M.S. Physics | B.S. Applied Mathematics | B.S. Physics
If you are a member of the Board and the topic of a cybersecurity audit comes up, it is important to define what it is and what it is not. Audits are often used to evaluate whether policies are in place and are being followed. While security audits and assessments are sometimes referred to interchangeably, they are not the same thing.
An assessment is an evaluation that gathers information to better understand a specific situation (people, process, and technology) and to make informed decisions about that situation. An audit, on the other hand, typically verifies the system against an established, holistic standard and produces a pass or fail outcome.
An audit often contains several assessments, combining conceptual and technical reviews. A security audit might include physical, access control, and vulnerability assessments. But a security audit will also likely include evaluating design controls and processes, standard operating procedures, disaster recovery plans, and several other components.
Audits can be costly and, depending on the scope, may only provide broad insights into an organization's cyber health. For example, cyber health could be defined in terms of the presence of controls. But what if what is really needed is to evaluate how effective those controls are at mitigating risk? If the effectiveness of a control is what matters, then asking more questions about specific assessments is warranted. For example, the auditor may determine that the organization checks the box because a firewall is in place on company devices. But if the firewall is not properly configured (for instance, left with a permissive default policy), it may not be blocking anything at all.
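The firewall point above is the difference between a presence check and an effectiveness check, and it is worth seeing what each actually looks like. The following is an added example, not code from the article or its author: it parses a rule listing in the format that `iptables -S` prints on a Linux host, and answers the checkbox question ("is a firewall configured?") separately from the effectiveness question ("does the INPUT chain really restrict inbound traffic to an approved list of services?"). The two rule listings, the approved-port list, and all function names are constructed for the illustration.

```python
"""Control presence versus control effectiveness, on a host firewall.

Added example (not from the article). Input is the `iptables -S` listing
format: `-P CHAIN TARGET` lines carry the default policy of each chain,
`-A CHAIN ... -j TARGET` lines carry the rules. The sample listings below
are constructed, not captured from a real host.
"""
from dataclasses import dataclass, field

# Constructed sample: a firewall "exists" but allows everything inbound.
CHECKBOX_ONLY = """
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -j ACCEPT
"""

# Constructed sample: default-deny inbound, only approved services opened.
HARDENED = """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""


@dataclass
class FirewallConfig:
    policies: dict = field(default_factory=dict)  # chain -> default target
    rules: list = field(default_factory=list)     # one dict per -A line


def _option(tokens, flag):
    """Return the value following `flag` in a tokenised rule, or None."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def parse_iptables_s(listing: str) -> FirewallConfig:
    """Parse `-P` policy lines and `-A` rule lines from `iptables -S` output."""
    cfg = FirewallConfig()
    for line in listing.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "-P" and len(tokens) >= 3:
            cfg.policies[tokens[1]] = tokens[2]
        elif tokens[0] == "-A" and len(tokens) >= 2:
            dport = _option(tokens, "--dport")
            cfg.rules.append({
                "chain": tokens[1],
                "proto": _option(tokens, "-p"),
                "dport": int(dport) if dport else None,
                "iface": _option(tokens, "-i"),
                "ctstate": _option(tokens, "--ctstate"),
                "target": _option(tokens, "-j"),
            })
    return cfg


def control_present(cfg: FirewallConfig) -> bool:
    """The checkbox question: is there any firewall configuration at all?"""
    return bool(cfg.policies) or bool(cfg.rules)


def control_effective(cfg: FirewallConfig, approved_ports: set) -> list:
    """The effectiveness question. Returns findings; an empty list means the
    INPUT chain actually enforces the approved-service list."""
    findings = []
    if cfg.policies.get("INPUT") not in ("DROP", "REJECT"):
        findings.append("INPUT default policy is not DROP/REJECT")
    for r in cfg.rules:
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT":
            continue
        # Loopback and reply traffic are expected allowances on any host.
        if r["iface"] == "lo" or "ESTABLISHED" in (r["ctstate"] or ""):
            continue
        if r["dport"] is None:
            findings.append("INPUT rule accepts all traffic without a port match")
        elif r["dport"] not in approved_ports:
            findings.append(
                f"INPUT accepts {r['proto']}/{r['dport']} which is not an approved service")
    return findings


if __name__ == "__main__":
    approved = {22, 443}
    for name, listing in (("checkbox-only", CHECKBOX_ONLY), ("hardened", HARDENED)):
        cfg = parse_iptables_s(listing)
        print(name, "present:", control_present(cfg),
              "findings:", control_effective(cfg, approved))
```

Both sample hosts pass the presence check, which is all a checkbox audit records; only the hardened host passes the effectiveness check, and the finding list is what an assessment would hand back to the control owner.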
A formal audit is typically performed by an external third-party vendor that has no conflict of interest. It is not uncommon for larger companies to have internal audit teams running assessments throughout the year, both to protect the company and to prepare for the external audit. A security audit is a more systematic evaluation of the organization's information systems against an established set of criteria. Standards such as the ISO/IEC 27000 family provide frameworks and details that have shaped both assessments and audits.
When trying to determine a company's cybersecurity posture, there are a variety of assurance actions that can be taken. Cybersecurity audits and assessments are helpful tools for gaining assurance that policies have been applied and that enforceable controls are in place to ensure the correct application of policy across the organization.
#Cybersecurity #VendorManagement #CyberAudits #CyberAssessments
About the Author
Shannon Block is an entrepreneur, mother and proud member of the global community. Her educational background includes a B.S. in Physics and B.S. in Applied Mathematics from George Washington University, M.S. in Physics from Tufts University and she is currently completing her Doctorate in Computer Science. She has been the CEO of both for-profit and non-profit organizations. Currently as Executive Director of Skillful Colorado, Shannon and her team are working to bring a future of skills to the future of work. With more than a decade of leadership experience, Shannon is a pragmatic and collaborative leader, adept at bringing people together to solve complex problems. She approaches issues holistically, helps her team think strategically about solutions and fosters a strong network of partners with a shared interest in finding scalable solutions. Prior to Skillful, Shannon served as CEO of the Denver Zoo, Rocky Mountain Cancer Centers, and World Forward Foundation. She is deeply engaged in the Colorado community and has served on multiple boards including the International Women's Forum, the Regional Executive Committee of the Young Presidents’ Organization, Children’s Hospital Quality and Safety Board, Women’s Forum of Colorado, and the Colorado-based Presbyterian/St. Luke’s Community Advisory Council. Follow her on Twitter @ShannonBlock or connect with her on LinkedIn.
Visit www.ShannonBlock.org for more on technology tools and trends.
Venture Capital | Operator | Nat’l Bank Founder & Chairman | Board Director (Public/Private) | Stanford Univ. - LBAN Mentor + Capital Advisor | Steward: Council for Inclusive Capitalism
5 years ago: Great article, Shannon!
Partner at CAS | Corporate M&A Attorney
5 years ago: Great article, Shannon Block, CFE. You raise an important topic for companies to understand. I frequently help clients develop privacy policies that both comply with the myriad of state and federal statutes and reflect what the company is actually doing with its data. Complying with data privacy depends on the industry, but typically means having a privacy policy and procedural mechanisms in place. I emphatically tell clients that the most important thing is that the company's practice be aligned with the company's privacy policy. Otherwise, an audit is not going to go well. Thanks for posting!